What's New?

• A new column, DNS Hostname, is added to the top pane of the Machine View. This feature displays the DNS hostname as applicable to each machine. This column is hidden by default. For more information, see Machine View Top Pane Summary.

• An option to choose Scan for Microsoft Preview patches is added to the General tab of the New patch Scan template under Windows Patch Scan Templates. Scan for Microsoft Preview patches option allows users the flexibility to include Microsoft preview patches in the system scans. Microsoft preview patches are updates released by Microsoft that allow users to test upcoming features, improvements, or fixes before they are officially rolled out. For more information, see Creating or Editing a Patch Scan Template.

• Amazon Linux V2 and Amazon Linux 2023 are now supported. For more information, see System Requirements.
• REST API for Policies are enhanced to include contentless Linux machines.
• Support for ESXi 8.0.3 is added and support for vCenter 6.5 is removed.
• Included REST APIs for Contentless Linux Patch Deployment Configuration and Contentless Linux Patch groups. For details, see Contentless Linux Patch Deployment Configuration and Contentless Linux Patch Groups in the separate API documentation (opens in a new window).

• The Machine/OS Listing, Deployment Status by Machine, and Executive Summary reports have been updated to include contentless Linux patching. For more information, see Available Reports.
• A new option, Trusted Domains, is added under the Tools menu. This feature allows you to add and identify permitted domains by creating a list of trusted domain suffixes. Only the domain suffixes included in this list are allowed to communicate with Security Controls. For more information, see Trusted Domains.
• Patch Scans REST API is enhanced to include contentless Linux machines. For details, see Patch Scans in the separate API documentation (opens in a new window).
• Included REST APIs for Linux Package Metadata and Linux Advisory Metadata. For details, see Linux Pacakage Metadata and Linux Advisory Metadata in the separate API documentation (opens in a new window).

• Deploy by Patch severity is now available for the contentless patching for Linux. For more information, see Creating and Editing a Linux Patch Deployment Configuration.
• The Power Status and Machine Patch Status reports have been updated to include contentless Linux patching. For more information, see Available Reports.
• Windows 11, 24H2 is now supported. For more information, see System Requirements.

• Individual packages can now be added to a contentless Linux patch group. For more information, see Creating and Editing a Linux Patch Group.
• CVSS scores are now displayed for contentless Linux patches. For more information, see Viewing Patch and Asset Summaries in Machine View.
• A new set of database views has been added to the database to enable you to generate custom reports for contentless Linux patching. For more information, see Versions of Database Views.
• The POST and DELETE methods sharewithservice have been removed from the Credentials function of the REST API. For details, see Credentials in the separate API documentation (opens in a new window).

• Deploy by Patch Group is now available for the new contentless patching for Linux. You can create patch groups for use with Linux contentless patching from the New > Linux Patch > Patch Group menu, from the Linux Patch Groups list in the navigation pane, or from the Machine View. There are separate Linux patch groups for contentless patching and content-based patching. Only advisories can currently be added to a Linux contentless patch group. For information about creating patch groups for contentless Linux patching, see Creating and Editing a Linux Patch Group.

If you use distribution servers, you MUST update the Linux engine installer on all distribution servers before creating or updating policies to include Linux patch groups. If this is not done, and a new policy is used with an old engine, scans will not work the old engine will interpret this policy to deploy all patches and not just the patches that were approved in the patch group.

• A new option, Require secure LDAP connections, has been added to the Scan Options dialog to prevent the fallback to using the insecure port 389 when querying for OUs or machines in LDAP both in the machine group editor and during a scan. For more information, see Scan Options. By default, this is disabled.

• In 2024, Linux patching in Security Controls is undergoing a major change as it transitions away from the content-based patching of previous versions to contentless patching directly from the distribution's repository. This provides a much more efficient and exhaustive mechanism for patching Linux devices. In this first release, you can scan for all vulnerabilities and then patch all. For more information, see Linux Contentless Patching.

Watch a related video (02:44)

• When scanning virtual inventory, Security Controls now honors all the configured download sources in your vSphere Lifecycle Manager, and also supports upgrading minor versions, such as from 7.0.1 to 7.0.2. A View button has been added to the right-click menu in the Virtual Inventory navigation pane to facilitate viewing your vCenter servers and ESXi hypervisors, and you can right-click the table on the Bulletins tab to export hypervisor bulletin details.

VMware has ended support and technical guidance for versions 6.5, 6.7 and 6.7.1, and security updates are no longer published. Support for these versions will be removed in a future release, leaving the earliest supported version as 7.0. For more information about managing your vCenter servers and ESXi Hypervisors, see Introducing the Virtual Inventory Feature.

• With version 2024.1, new options for configuring the encryption of the connection between the console and SQL Server have been added.
  The new options provide more security, but may need further configuration. The upgrade does not change this setting, leaving it at the least secure but most compatible setting. When upgrading, we recommend you review the database connection encryption setting using the Database Setup Tool (see Set Advanced options - database connection encryption).
• Windows Server 2008 and Windows Server 2008 R2 endpoints are no longer supported.

• The Security Controls REST API has been updated to provide more control of cultures and to enable specifying an instance name if required when deploying patches. For more information, see API help (opens in a new window).
• Windows Server 2012 and Windows Server 2012 R2 clients are supported with Microsoft Extended Security Updates (ESU) and an Ivanti ESU – contact your Ivanti supplier.
• Windows Server 2012 and Windows Server 2012 R2 are no longer supported for the console. For a complete list of supported platforms, see System Requirements.
• The Ivanti Security Controls Diagnostic Toolkit, which provides utilities to help diagnose your system and provide information to support is now available. For more information, see Security Controls Diagnostic Toolkit Release Notes (opens in a new window).

• You can now edit machine details using the REST API. For more information about the REST API, see the separate help (opens in a new window).
• During the automatic cleanup of the download directory, core files are not deleted if the download directory is set to be used as a distribution server. For more information, see Download Options.
• Accessibility improvements.

• Use of the Ivanti Scheduler has been discontinued. The Microsoft Scheduler has been improved to the point that the Ivanti Scheduler is no longer needed. The Microsoft Scheduler is now the default scheduler service and is used when performing power state and patch deployment tasks on remote machines. The scheduler is used to initiate the tasks at the specified time, whether immediately or at some specified time.

With the deprecation of the Ivanti Scheduler, port 5120 is no longer required to be an allowed port in your firewall settings. In addition, when you are certain that all scheduled tasks still using the Ivanti Scheduler have been run, you should remove the Ivanti Scheduler from your target machines.

• A deployment tool is now being pushed to target machines when a patch deployment is performed from the console. The tool is used to execute a deployment package on the target machine. The capabilities of the deployment tool are not new; they used to be included with the Ivanti Scheduler. With the deprecation of the Ivanti Scheduler, however, the deployment tool is now being delivered as a separate component. It will automatically be pushed to target machines when needed. If needed, you can remove the deployment tool from a target machine by right-clicking the machine in Machine View and using the Uninstall deployment tool command.
• For offline virtual machines, patching products installed on virtual disks with the disk mode set to either Independent – Persistent or Independent – Nonpersistent is not supported. If a virtual machine has both dependent and independent disks, you can still install patches for products that are installed on the dependent disks.
• Support for ESXi 6.0 has been dropped and support for ESXi 8.00 and 8.0.1 added. The supported versions of VMware ESXi hypervisors are now ESXi 6.5, ESXi 6.7, ESXi 7.0, ESXi 8.00, and ESXi 8.0.1.
• Removed Microsoft Visual C++ Redistributable for Visual Studio 2013 as a prerequisite software requirement for the console
• A number of known issues have been resolved. See the Security Controls 2023.2 Release Notes for the complete list of resolved issues.

• The Validate Against Known Hosts File option is now available when configuring the SSH server connection process. You should choose this option if you want to use the known_hosts file to validate each target machine before allowing an SSH connection.
• The user interface has been refreshed with new icons and colors, providing a more modern look. A new skin that mimics the look and feel of Windows 11 has also been added. The skin is named WXI and can be found on the Display tab of the Options dialog. WXI is the new default option.
• A number of known issues have been resolved. See the Security Controls 2023.1 Release Notes for the complete list of resolved issues.

• A new "Automate to Compliance" REST API script is now available. The script automates the steps in the patch process (scan, deploy, reboot), repeating the steps until all patches have been deployed to the designated machines.
• The Patch Metadata function in the REST API has been enhanced to provide better sorting and pagination capabilities when viewing the query results.
• The agent client program has been updated. Much more information is now provided in the patch task logs about the patch status (downloads, installs, success, failure, error messages).
• A security enhancement has been made to the SSH server connection process. You now have the option to specify if an SSH connection can be used when the console communicates with an endpoint that supports SSH and for which SMB fails.
• More information has been added to the error codes that are displayed in the Windows deployment history tab in Machine View.
• Deprecation of Windows 8.1: Support for the Security Controls console on the Windows 8.1 operating system is scheduled to end in January 2023.
• A number of known issues have been resolved. See the Security Controls 2022.4 Release Notes for the complete list of resolved issues.

• The ability to automatically clean up your patch download directory and your distribution server(s). Any patches that are unlikely to be used in the future will be deleted from these locations, saving disk space. This option is configured on the Tools > Options > Downloads tab.
• The number of thread pools used when scanning machine groups that contain machines defined by an IP range, a domain or an organizational unit is now automatically capped. This will improve performance by limiting the number of machine groups that can be scanned at one time, keeping the console machine's processors from becoming overloaded. For more details, see the information on the Global thread pool option.
• Localized versions of the agent user interface are now available.
• You now have the option to specify if the agent user interface will be installed. The agent client currently requires the use of .NET 6, and it will likely continue to be updated in the future to use newer versions of .NET as they become available. One of the reasons you may not want the agent client installed is if you have other applications on your machines that also require the use of .NET. If the agent client is not needed, you can shield those machines from the reboots and other effects that occur when an agent is updated to support a new version of .NET.
• Two new Linux patch attributes are now stored in the database and are available for reporting purposes: InstalledOn date and Notification > Title.
• In addition to checking for application updates and End-of-Life notices on launch, the Security Controls console will now check for updates and notices every 24 hours while the Security Controls console remains open. The administrator can snooze the notifications for up to seven days at a time.
• The Security Controls Cloud website has been refreshed. It now has an updated style that is consistent with other Ivanti sites, and modern client libraries are used to help ensure the most secure browsing experience.
• A number of known issues have been resolved. See the Security Controls 2022.3 Release Notes for the complete list of resolved issues.

• An example PowerShell script has been added to the Security Controls REST API Help. This script shows how to add specific KBs to a new patch group or to existing patch groups. If you need to add an out-of-band security patch to many patch groups at once, this script simplifies the process.
• Additional options allow you to more precisely specify which language should be used within the Security Controls interface. In the Tools > Options > Display Options dialog, you can either select a specific language or let the console machine's operating system language setting specify which language should be used. The new language options are applied on a per user basis.
• Support for Red Hat Enterprise Linux 6 has ended. This is because Red Hat has stopped providing maintenance support for Red Hat Enterprise Linux 6.
• Corrected a daylight savings time issue that sometimes caused scheduled scans to run one hour late or become disabled. The fix adds a periodic check that re-enables the scheduled scans.
• A number of known issues have been resolved. See the Security Controls 2022.2 Release Notes for the complete list of resolved issues.

• More complete information is now provided in Machine View and in reports for virtual machines that contain the same name. Previously, only one entry would be created for hosted online virtual machines that had the same name but different vCenter paths. With this release the machines are listed separately, with complete host data path information provided for each machine to show the distinction between the machines.
• An updated Application Control engine component is being made available.
• Additional context is provided on an error message that precedes the unexpected closing of the Security Controls console. The new text makes it clear that the console is closing because it was unable to download the required content data.
• A number of known issues have been resolved. See the Security Controls 2022.1 Release Notes for the complete list of resolved issues.

Ability to Delete a User Whose Credentials are Shared with Other Users

The User Role Assignment dialog has been replaced by the new User Manager dialog. In addition to allowing you to assign different roles to different users, the User Manager dialog now allows you to delete any users who should no longer have access to Security Controls. For example, if one of your administrators has been assigned to a different project or has left your organization, you will want to delete that user. If the user being deleted is currently sharing credentials with one or more users or with background services, you are able to clean up all shared credential associations before you delete the user.

Improved Windows Agent Client Program

The agent client program has been totally reworked, providing an updated look and feel. In addition, the program provides more troubleshooting information and does a better job of presenting the information.

Windows 11 and Windows Server 2022 Support

Support has been added for Windows 11 and Windows Server 2022 for use as a console and on target machines that require patching.

• A number of known issues have been resolved. See the Security Controls 2021.2 Update 1 Release Notes for the complete list of resolved issues.
• The supported versions of VMware ESXi hypervisors are now ESXi 6.0, ESXi 6.5, ESXi 6.7 and ESXi 7.0. Support for ESXi 5.x has been dropped.

If you are using ESXI 7.0 Update 1 or later, the patch offline bundle must be installed on your hypervisor. For more information, see the VMware ESXi 7.0 Update 1 Release Notes.

• The following operating systems are no longer supported:
• The Security Controls console is no longer supported on Windows Server 2008 R2 and Windows 7 operating systems
• The Security Controls agent is no longer supported on Windows 8 and CentOS 6 operating systems
• Agentless operations are no longer supported on Windows XP, Windows Server 2003, Windows Vista and Windows 8 operating systems

Sideload Patches

Sideloading refers to the process of managing patches that cannot be automatically downloaded. The sideload feature greatly simplifies this process. You will need to manually download the patch file, but after that the sideload feature takes over and provides a number of automated services. Specifically, the feature will verify the contents of the manually downloaded patch, rename the file if needed and then automatically save the patch file to the patch download directory. Once there, the patch is ready to be deployed using the normal deployment process.

Automatically Delete Inactive Machines from the Database

The ability to automatically delete inactive machines from the database has been added to the Database Maintenance tool. An inactive machine can be a machine that has not had an agent check in with the console, been assessed or been included in a patch deployment for the specified number of days. This is important, because inactive machines do not accurately depict the current state of your organization.

Continuous Agentless Scanning

You now have the option to configure agentless patch scanning operations on intervals as short as three minutes. This provides the ability to perform nearly continuous scans of a designated machine group.

Scripted Scans and Deployments Using CVEs

A detailed series of PowerShell scripts is provided that show how to scan for and deploy patches using input from a CVE file. The scripts invoke the REST API and perform a number of tasks, including:

• Parsing a CVE file and converting the content to a patch group
• Creating a scan template that scans for the patches contained in the patch group
• Optionally deploying any missing patches

Workstation and Server License Information

Additional details about your current license status are now available in two different locations. You can:

• Select Help > About Ivanti Security Controls on the console to view the number of deployment license seats currently used for both your servers and your workstations.
• Generate a Detailed License Status report that shows the number of available licensed seats, the number of seats used, how and when the seats were consumed and when they will be available again.

• Added a new Configuration method in the REST API that enables you to display version information for the Security Controls console.
• In the Patch Deployments method in the REST API help, a DeploymentResult table has been added containing the codes that identify the various states of a deployment.
• In the Machines method in the REST API help:
• Added the credentialId field to the output model
• Added new PUT operations for assigning and unassigning a credential to a machine
• Added Port 902 information to the Port Requirements table in the System Requirements
• Ended support for CentOS 6 Linux clients. This is because Red Hat has stopped providing maintenance support for CentOS 6.

Connect to Machines by Fully Qualified Domain Name (FQDN)

Prior to this release, the Security Controls console made connections with clients using the IP address of the machines. Some networks, however, have begun to operate in stricter environments that employ the use of additional Kerberos security measures. In particular, if the client machines in your environment establish a connection with servers using the Server Message Block (SMB) protocol, a certain level of validation may be required to be performed on the client's Service Principal Name (SPN). For these networks, you now have the option to choose Fully Qualified Domain Name (FQDN) as your connection method. Doing so will satisfy the additional validation requirements and enable successful connections to your client machines.

Copy Usages Button

For a shared credential, this new button enables you to add any credential usage that is not already being used by your user account. You might do this if the credential owner, or another user who is sharing the credential, has added one or more new usages since the credential was initially shared with you and you want to keep in sync with those changes.

REST API Enhancements

Several new capabilities have been added to the following functional areas in the REST API:

• Patch Metadata: Support has been added for IAVA IDs, and you can now sort and paginate the results of queries. This is implemented with the introduction of three new query URL parameters: iavaIds, orderBy and sortOrder. In addition, nine new output fields are now available: affectedProducts, bulletinTitle, familyId, familyName, fileSize, iava, summary, vendorId and vendorName.
• Machine Groups: The connectionMethod property has been added to the input and output models. This is being done in conjunction with the Connect to Machines by Fully Qualified Domain Name (FQDN) feature (see above).
• Patch Scans: You are now able to specify the connection method in conjunction with the endpoint names specified for scanning. This is being done in conjunction with the Connect to Machines by Fully Qualified Domain Name (FQDN) feature (see above).
• Agent Deployments: The connectionMethod property has been added to the input model. This is being done in conjunction with the Connect to Machines by Fully Qualified Domain Name (FQDN) feature (see above).
• Patch Deployments: You now have the ability to deploy specific patches to specific machines using a designated deployment template. This provides an integrated patching solution for Ivanti Neurons customers, and it is useful for existing on-premise customers who wish to tailor their patch deployment. The following input parameters are now available: deployWhat, machines, and runAsDefault.

Support for Red Hat Enterprise Linux 8

All vendor-supported Server, Workstation, Client and Computer Node variants of RHEL 8 (64-bit only) machines are now able to be scanned and patched using agents.

Support for RHEL 8 is made possible through an update to the dynamic data content that is provided by Ivanti. This means that the two previous versions of Security Controls, 2019.3 and 2020.1, are now also able to support RHEL 8.

Shared Credentials

You can now share credentials with one or more users. This is especially useful in multi-admin environments, as it enables a senior administrator to delegate operations to junior administrators. The junior administrators can interact with endpoints using a secure credential without knowing the password for that credential. In addition, when a password needs updating, it can be updated from a single location.

Grouping of Machines in Machine View and Scan View

The new Assigned Groups column in Machine View and Scan View enables you to group related machines, making it easier to perform agentless operations and generate reports on the machines. This column is particularly useful for machines such as Cloud agents, as those machines do not belong to a machine group. With the Assigned Group feature, you can now group those machines with other machines that share similar attributes, such as the same physical location or agent policy.

Improved Product Licensing Process

A new credentials-based activation method is now available that enables you to specify exactly how many of your available license seats you want to consume on a specific entitlement. This method will be used by new customers who have an internet connection from the console. The legacy key-based activation method is still supported for existing customers who are upgrading and for customers who need to activate from within a disconnected network.

Additional REST API Functionality

The following functional areas are now available through the REST API:

• Cloud Sync
• Machines
• Users

The ability to share credentials and assign a machine to a group has also been added. For complete information, see the REST API help.

Deep Rebrand

References to outdated company and product names have been scrubbed. Directory paths and other items that contain company and/or product names are now current.

Software Distribution Notification

A notification dialog is now provided whenever you add a software distribution patch to a patch group or initiate a scan for third-party applications. This warning will help prevent the inadvertent installation of third-party applications on your endpoints.

Improved List of Port Requirements

The Port Requirements table in the System Requirements help topic now contains much greater detail.

Patch Breakdown Column Renamed to Health

Within Machine View and Scan View, the Patch breakdown column has been renamed to Health. The new name better reflects the purpose of the column, which is to indicate the "health" of a machine by providing a visual representation of the percentage of installed patches vs missing patches.

Carry Original Scan Name into the Associated Deployment Name

When a patch scan is followed by an automatic patch deployment, the scan name is now associated with the corresponding deployment operation.